diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md
index 91b5a7897..6ad4e1fc6 100644
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -20,8 +20,11 @@ module "vpc-sc" {
combining_function = "AND"
conditions = [{
ip_subnetworks = ["85.85.85.52/32"]
+ required_access_levels = null
members = []
negate = false
+ device_policy = null
+ regions = null
}]
}
}
@@ -60,8 +63,11 @@ module "vpc-sc" {
combining_function = "AND"
conditions = [{
ip_subnetworks = ["85.85.85.52/32"]
+ required_access_levels = null
members = []
negate = false
+ device_policy = null
+ regions = null
}]
}
}
@@ -101,7 +107,7 @@ module "vpc-sc" {
| access_policy_title | Access Policy title to be created. | string | ✓ | |
| organization_id | Organization id in organizations/nnnnnn format. | string | ✓ | |
| *access_level_perimeters* | Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run' | map(map(list(string))) | | {} |
-| *access_levels* | Access Levels. | map(object({...})) | | {} |
+| *access_levels* | Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate, device_policy or regions'. | map(object({...})) | | {} |
| *perimeter_projects* | Perimeter -> Enforced Mode -> Projects Number mapping. Enforced mode can be 'enforced' or 'dry_run'. | map(map(list(number))) | | {} |
| *perimeters* | Set of Perimeters. | map(object({...})) | | {} |
diff --git a/modules/vpc-sc/main.tf b/modules/vpc-sc/main.tf
index cf2f2b037..7e0d13dcd 100644
--- a/modules/vpc-sc/main.tf
+++ b/modules/vpc-sc/main.tf
@@ -44,13 +44,23 @@ resource "google_access_context_manager_access_level" "default" {
dynamic "basic" {
for_each = try(toset(each.value.conditions), [])
+ iterator = condition
content {
combining_function = try(each.value.combining_function, null)
conditions {
- ip_subnetworks = try(basic.value.ip_subnetworks, null)
- members = try(basic.value.members, null)
- negate = try(basic.value.negate, null)
+ ip_subnetworks = try(condition.value.ip_subnetworks, null)
+ required_access_levels = try(condition.value.required_access_levels, null)
+ members = try(condition.value.members, null)
+ negate = try(condition.value.negate, null)
+ device_policy {
+ require_screen_lock = try(condition.value.device_policy.require_screen_lock, null)
+ allowed_encryption_statuses = try(condition.value.device_policy.allowed_encryption_statuses, null)
+ allowed_device_management_levels = try(condition.value.device_policy.allowed_device_management_levels, null)
+ require_admin_approval = try(condition.value.device_policy.require_admin_approval, null)
+ require_corp_owned = try(condition.value.device_policy.require_corp_owned, null)
+ }
+ regions = try(condition.value.regions, null)
}
}
}
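Review bot: The `device_policy` block added inside `conditions` is emitted unconditionally, so every condition sends a device policy to the API even when the caller set `device_policy = null` (the `try(..., null)` wrappers only keep the null from erroring, they do not suppress the block). Whether the provider treats an all-null `device_policy` block as absent is provider-specific, and an empty device policy on an access level that was meant to be IP-only is not what the caller expressed; a `dynamic "device_policy"` block gated on the value being non-null keeps the policy out of the request unless one was configured. The enclosing `resource "google_access_context_manager_access_level" "default"` starts before this hunk and its closing brace is outside it.
```hcl
conditions {
  // … unchanged: ip_subnetworks, required_access_levels, members, negate …
  dynamic "device_policy" {
    for_each = try(condition.value.device_policy, null) == null ? [] : [condition.value.device_policy]
    content {
      require_screen_lock              = try(device_policy.value.require_screen_lock, null)
      allowed_encryption_statuses      = try(device_policy.value.allowed_encryption_statuses, null)
      allowed_device_management_levels = try(device_policy.value.allowed_device_management_levels, null)
      require_admin_approval           = try(device_policy.value.require_admin_approval, null)
      require_corp_owned               = try(device_policy.value.require_corp_owned, null)
    }
  }
  regions = try(condition.value.regions, null)
}
```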
diff --git a/modules/vpc-sc/variables.tf b/modules/vpc-sc/variables.tf
index d66b4370d..4f1fc51f8 100644
--- a/modules/vpc-sc/variables.tf
+++ b/modules/vpc-sc/variables.tf
@@ -15,13 +15,22 @@
*/
variable "access_levels" {
- description = "Access Levels."
+ description = "Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate, device_policy or regions'."
type = map(object({
combining_function = string
conditions = list(object({
- ip_subnetworks = list(string)
- members = list(string)
- negate = string
+ ip_subnetworks = list(string)
+ required_access_levels = list(string)
+ members = list(string)
+ negate = string
+ device_policy = object({
+ require_screen_lock = bool
+ allowed_encryption_statuses = string
+ allowed_device_management_levels = string
+ require_admin_approval = bool
+ require_corp_owned = bool
+ })
+ regions = list(string)
}))
}))
default = {}
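Review bot: In the new `device_policy` object type, `allowed_encryption_statuses` and `allowed_device_management_levels` are declared as `string`, but the provider documents both attributes of `google_access_context_manager_access_level` as lists of strings (the plural names reflect that); a caller passing the list the resource expects will be rejected by this variable's type check, and a single string that passes the check will then fail when applied to the list attribute. Change the two lines to `allowed_encryption_statuses = list(string)` and `allowed_device_management_levels = list(string)`. Since every attribute of an object type is required here, the description might also mention that unused fields such as `device_policy` must be set to `null`, as the README examples do.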
diff --git a/tests/modules/compute_mig/test_plan.py b/tests/modules/compute_mig/test_plan.py
index 194ecfe3d..81e6a313a 100644
--- a/tests/modules/compute_mig/test_plan.py
+++ b/tests/modules/compute_mig/test_plan.py
@@ -61,7 +61,7 @@ def test_autoscaler(plan_runner):
assert autoscaler['type'] == 'google_compute_autoscaler'
assert autoscaler['values']['autoscaling_policy'] == [{
'cooldown_period': 60,
- 'cpu_utilization': [{'target': 65}],
+ 'cpu_utilization': [{'predictive_method': 'NONE', 'target': 65}],
'load_balancing_utilization': [],
'max_replicas': 3,
'metric': [],